From b1aec609bb5e0d08c25c888c91935287ab4ee5fa Mon Sep 17 00:00:00 2001
From: Mateusz Furdyna
Date: Wed, 10 Jun 2026 16:25:33 +0200
Subject: net: clear IP defragmentation state after returning a complete packet

During the IP defragmentation process, after the reassembly is finished with the last packet arriving with MF=0, the reassembly state wrt. static counters is not cleared. In case this last arriving packet with MF=0 gets duplicated, payload bytes are mistakenly treated as hole data.

A malicious actor who can deliver fragmented IP traffic to a U-Boot instance with CONFIG_IP_DEFRAG=y can corrupt memory via out-of-bound writes and redirect control flow into attacker-supplied payload bytes that already sit in `pkt_buff[]`. Publicly available AI models are able to generate a reproducer based on the provided information.

Fix: once the assembled packet has been handed back to the caller, mark the reassembly state empty so that any further fragment (duplicate, replay, or a brand-new datagram that happens to reuse the `ip_id`) goes through the normal re-init path and rebuilds a clean hole list instead of dereferencing payload bytes as struct hole.

Fixes: 5cfaa4e54d0e ("net: defragment IP packets")
Reported-by: Mariusz Madej
Reviewed-by: Simon Glass
Acked-by: Alessandro Rubini
Signed-off-by: Mateusz Furdyna
---
 net/net.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/net.c b/net/net.c
index ae3b977781f..61c5a6ef6c4 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1103,6 +1103,15 @@ static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp) *lenp = total_len + IP_HDR_SIZE; localip->ip_len = htons(*lenp); + + /* + * Mark the reassembly state empty so that any further + * fragment goes through the normal re-init path and + * rebuilds a clean hole list + */ + total_len = 0; + first_hole = 0; + return localip; } -- cgit v1.3.1
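Review bot: the reset clears only `total_len` and `first_hole`, so it is a complete fix only if the re-init decision in `__net_defragment()` is driven by one of those two variables rather than by a stored `ip_id` comparison; since the commit message promises that a duplicate final fragment or a new datagram reusing the `ip_id` takes the re-init path, please name that check in the comment (for example, which of `total_len == 0` or `first_hole == 0` means "no reassembly in progress") and confirm that no other static reassembly state survives the return. Also, the added comment block should end with a period ("... rebuilds a clean hole list.") to match the full-sentence comment style used elsewhere in net/net.c.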